As soon as possible after the attack, you need to inform your insurer (which you hopefully have). This way they can help cover costs at a time when your business is struggling.
Then isolate the attack – identify the server or site where the breach began. This will help forensic experts contain the attack and prevent further damage.
1. Report the Incident
Regardless of whether you’ve been hit by malware, have a system go offline, or a laptop computer has been stolen containing sensitive information, it’s essential to report the incident. This can help to build trust with patients, clients, and customers that your business is handling the attack seriously and transparently, even if it’s a data breach. This report can also help to identify how the attack happened and improve your business’s cybersecurity protocols moving forward.
Hire a forensics team if you haven’t already and work to understand how the attack took place, what data was compromised (including names, dates of birth, email addresses, credit card information, and more), and how it was discovered. Your forensics team can then help you to develop your remediation plans and determine what the next steps are. Depending on the size of the attack, you may also want to consider involving law enforcement. This will help to prevent the hacker from using your compromised information to commit other crimes. You should also update and communicate your security protocols to employees as a result of the cyber attack.
2. Confirm the Incident
During this stage, your security team works to identify the nature and origin of the attack, as well as what data has been compromised. Depending on the severity of the breach, you might have to disconnect systems from the internet, quarantine certain servers, and change passwords for crucial accounts.
This is also the time to review your cybersecurity protocols and learn what can be improved. This might include patching server vulnerabilities, educating staff on how to avoid phishing scams, and rolling out technologies to better monitor insider threats.
This is also an ideal time to work with your insurer, as you will need to report the attack in order for your policy to kick in. If you’re lucky enough to have it, this will save you the hefty cost of dealing with a cyber attack on your own.
3. Contain the Incident
Dealing with a cybersecurity incident and data breach is difficult at best. Depending on the severity you may have to deal with panicked employees, screaming customers, frustrated partners and even law enforcement and regulators. Keeping a cool head and implementing your practiced plan smoothly can preserve your credibility and help you get through the crisis as quickly as possible.
Mobilize your incident response team as soon as the attack is detected. This should include security experts, legal council and forensics specialists. This team will work to identify the attack’s source and contain the damage.
Containing the incident involves taking any infected machines offline and disconnecting any core network connections – wired, wireless or mobile. It also includes resetting passwords and blocking accounts of any employees who might have been part of the attack. This step should be followed by system/network validation and testing to certify that all components are functioning and free of any malware or unauthorized entry points. You should also back up all affected systems to save the current state for forensic purposes.
4. Remediate the Incident
After confirming the breach and determining the cause, it’s time to take action. This is where the business must mobilize its cybersecurity team – including legal counsel, forensics specialists and information security professionals – and set about remediating the incident.
This involves determining the extent of the damage, such as the number of compromised systems and the amount of data stolen. It’s also a good time to work with your PR department, especially if customers were impacted by the breach.
It’s important to have short and long-term containment strategies in place, such as disconnecting affected systems from the internet, deleting sensitive files and locking down user accounts. It’s also a great time to learn from the experience and review your policies, procedures and technology solutions. This should help your organization become stronger and more resilient against future attacks. And, of course, it’s a good time to contact your insurer, if you have one, for assistance in covering the myriad costs associated with a cyber attack. They may be able to recommend cybersecurity and crisis management experts, which can help mitigate the damage.
5. Report the Incident
When an attack takes place, it is important to immediately notify everyone involved. This includes your team and the affected consumers. It is also helpful to document the incident and share it with law enforcement agencies.
The next step is to identify the cause of the incident and contain it. This may include disabling network access for computers that were infected with malware, resetting passwords on accounts that were breached, and installing security patches to address any vulnerabilities. It is also important to back up all affected systems so that they can be restored to their pre-incident state if needed.
Some cyber attacks are difficult to detect, but other signs of an attack include higher-than-normal data usage or unusual password activity. The sooner that an attack is reported, the more likely it will be to be addressed before the damage can spread.
Once the cause has been identified, it is time to begin a full forensic investigation into how and why the incident took place. This will help to reduce the risk of future attacks and mitigate damage to your company or clients.